X-Git-Url: https://granicus.if.org/sourcecode?a=blobdiff_plain;f=docs%2Fmanual%2Fmod%2Fcore.html.en;h=d6c611fd65a922ee577d246a8a723878731ca44d;hb=74a5f93a855ae16c600b8837aaf4c8793a44041d;hp=dec3675ed60e450d4362a0b9e5af6e3cde9cdd97;hpb=deaf36d8795da46aa251a033aad06cfaa2b59c73;p=apache diff --git a/docs/manual/mod/core.html.en b/docs/manual/mod/core.html.en index dec3675ed6..d6c611fd65 100644 --- a/docs/manual/mod/core.html.en +++ b/docs/manual/mod/core.html.en @@ -19,7 +19,7 @@
Apache HTTP Server Version 2.5
-Note that a syntax error in a valid directive will still cause - an internal server error.
+ an Internal Server Error.In the example above, only the Redirect
and
RedirectMatch
directives are allowed. All others will
- cause an internal server error.
Example:
@@ -603,7 +608,7 @@ AllowOverrideList CookieTracking CookieName grants permission to theAuthConfig
directive grouping and AllowOverrideList
grants
permission to only two directives from the FileInfo
directive
- grouping. All others will cause an internal server error.
+ grouping. All others will cause an Internal Server Error.
ap_add_common_vars()
may choose to respect the setting
as well.
+Description: | Controls how some CGI variables are set |
---|---|
Syntax: | CGIVar variable rule |
Context: | directory, .htaccess |
Override: | FileInfo |
Status: | Core |
Module: | core |
Compatibility: | Available in Apache HTTP Server 2.4.21 and later |
This directive controls how some CGI variables are set.
+ +REQUEST_URI rules:
+original-uri
(default)current-uri
mod_rewrite
. In order to prevent confusion, numbered
(unnamed) backreferences are ignored. Use named groups instead.
-<DirectoryMatch "^/var/www/combined/(?<sitename>[^/]+)"> +<DirectoryMatch "^/var/www/combined/(?<sitename>[^/]+)"> Require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example </DirectoryMatch>@@ -1040,7 +1071,7 @@ sections are combined when a request is receivedDescription: Directory that forms the main document tree visible from the web - Syntax: DocumentRoot directory-path
+ Default: DocumentRoot /usr/local/apache/htdocs
Default: DocumentRoot "/usr/local/apache/htdocs"
Context: server config, virtual host Status: Core @@ -1347,12 +1378,12 @@ in case of an error whether the parameter is an URL, a path or a message is performed before any expression is parsed. Examples: - Module: core ErrorDocument 500 http://foo.example.com/cgi-bin/tester -ErrorDocument 404 /cgi-bin/bad_urls.pl +ErrorDocument 500 http://example.com/cgi-bin/server-error.cgi +ErrorDocument 404 /errors/bad_urls.php ErrorDocument 401 /subscription_info.html -ErrorDocument 403 "Sorry can't allow you access today" +ErrorDocument 403 "Sorry, can't allow you access today" ErrorDocument 403 Forbidden! -ErrorDocument 403 /cgi-bin/forbidden.pl?referrer=%{escape:%{HTTP_REFERER}}+ErrorDocument 403 /errors/forbidden.py?referrer=%{escape:%{HTTP_REFERER}}Additionally, the special value
default
can be used @@ -1620,7 +1651,7 @@ ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M%This would result in error messages such as:
-+ +-
+
@@ -1827,7 +1858,7 @@ filenames does. However, it accepts a regular expression. For example:
[Thu May 12 08:28:57.652118 2011] [core:error] [pid 8777:tid 4326490112] [client ::1:58619] File does not exist: /usr/local/apache2/htdocs/favicon.ico
<FilesMatch ".+\.(gif|jpe?g|png)$"> +<FilesMatch ".+\.(gif|jpe?g|png)$"> # ... </FilesMatch>@@ -1845,7 +1876,7 @@ filenamesmod_rewrite
. In order to prevent confusion, numbered (unnamed) backreferences are ignored. Use named groups instead. -<FilesMatch "^(?<sitename>[^/]+)"> +<FilesMatch "^(?<sitename>[^/]+)"> require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example </FilesMatch>@@ -1994,6 +2025,82 @@ media type in the HTTP Content-Type header field directives, a hostname lookup will be performed regardless of the setting ofHostnameLookups
. +HttpProtocolOptions Directive
++
++ Description: Modify restrictions on HTTP Request Messages + Syntax: HttpProtocolOptions [Strict|Unsafe] [StrictURL|UnsafeURL] + [RegisteredMethods|LenientMethods] [Allow0.9|Require1.0]
+ Default: HttpProtocolOptions Strict StrictURL LenientMethods Allow0.9
+ Context: server config, virtual host + Status: Core + Module: core + Compatibility: 2.2.32 or 2.4.24 and later This directive changes the rules applied to the HTTP Request Line + (RFC 7230 §3.1.1) and the HTTP Request Header Fields + (RFC 7230 §3.2), which are now applied by default or using + the
+ +Strict
option. Due to legacy modules, applications or + custom user-agents which must be deperecated,Unsafe
+ andUnsafeURL
options have been added to revert to the legacy + behaviors. These rules are applied prior to request processing, so must be + configured at the global or default (first) matching virtual host section, + by IP/port interface and not by name, to be honored.Prior to the introduction of this directive, the Apache HTTP Server + request message parsers were tolerant of a number of forms of input + which did not conform to the protocol. + RFC 7230 §9.4 Request Splitting and + §9.5 Response Smuggling call out only two of the potential + risks of accepting non-conformant request messages, while + RFC 7230 §3.5 "Message Parsing Robustness" identify the + risks of accepting obscure whitespace and request message formatting. + As of the introduction of this directive, all grammer rules of the + specification are enforced in the default
+ +Strict
operating + mode, and the strict whitespace suggested by section 3.5 is enforced + and cannot be relaxed.RFC 3986 §2.2 and 2.3 define "Reserved Characters" and + "Unreserved Characters". All other character octets are required to + be %XX encoded under this spec, and RFC7230 defers to these requirements. + By default the
+ +StrictURI
option will reject all requests + containing invalid characters. This rule can be relaxed with the +UnsafeURI
option to support badly written user-agents.Users are strongly cautioned against toggling the
+ +Unsafe
+ orUnsafeURI
modes of operation, particularly on + outward-facing, publicly accessible server deployments. + If an interface is required for faulty monitoring or other custom service + consumers running on an intranet, users should toggle only those Unsafe + options which are necessary, and only on a specific virtual host configured + to service only their internal private network.Reviewing the messages logged to the
+ +ErrorLog
, + configured withLogLevel
debug
level, + can help identify such faulty requests along with their origin. + Users should pay particular attention to the 400 responses in the access + log for invalid requests which were unexpectedly rejected.RFC 7231 §4.1 "Request Methods" "Overview" requires that + origin servers shall respond with an error when an unsupported method + is encountered in the request line. This already happens when the +
+ +LenientMethods
option is used, but administrators may wish + to toggle theRegisteredMethods
option and register any + non-standard methods using theRegisterHttpMethod
+ directive, particularly if theUnsafe
option has been toggled. + TheRegisteredMethods
option should not + be toggled for forward proxy hosts, as the methods supported by the + origin servers are unknown to the proxy server.RFC 2616 §19.6 "Compatibility With Previous Versions" had + encouraged HTTP servers to support legacy HTTP/0.9 requests. RFC 7230 + superceeds this with "The expectation to support HTTP/0.9 requests has + been removed" and offers additional comments in + RFC 7230 Appendix A. The
+Require1.0
option allows + the user to remove support of the defaultAllow0.9
option's + behavior.@@ -3602,7 +3709,7 @@ directory<If> Directive
@@ -2830,7 +2937,7 @@ matching URLsmod_rewrite
. In order to prevent confusion, numbered (unnamed) backreferences are ignored. Use named groups instead. -<LocationMatch "^/combined/(?<sitename>[^/]+)"> +<LocationMatch "^/combined/(?<sitename>[^/]+)"> require ldap-group cn=%{env:MATCH_SITENAME},ou=combined,o=Example </LocationMatch>@@ -3341,10 +3448,10 @@ or specified mutexes holding a mutex that uses this implementation, the server will deadlock and stop responding to requests. When this occurs, the server will require a manual restart to recover. -Solaris is a notable exception as it provides a mechanism which +
Solaris and Linux are notable exceptions as they provide a mechanism which usually allows the mutex to be recovered after a child process terminates abnormally while holding a mutex.
-If your system implements the +
If your system is POSIX compliant or if it implements the
pthread_mutexattr_setrobust_np()
function, you may be able to use thepthread
option safely.Normally, if multiple
Options
could apply to a directory, then the most specific one is used and - others are ignored; the options are not merged. (See how sections are merged.) + others are ignored; the options are not merged. (See how sections are merged.) However if all the options on theOptions
directive are preceded by a+
or-
symbol, the options are @@ -3765,7 +3872,7 @@ directoryQualifyRedirectURL Directive
-
Description: Controls whether the REDIRECT_URL environent variable is + Description: Controls whether the REDIRECT_URL environment variable is fully qualified Syntax: QualifyRedirectURL ON|OFF
@@ -4070,7 +4177,7 @@ to name-virtual hosts in the order they appear in the configuration. The first matching Default: QualifyRedirectURL OFF
ServerName
orServerAlias
is used, with no different precedence for wildcards (nor for ServerName vs. ServerAlias). -The complete list of names in the
VirtualHost
+The complete list of names in the
@@ -4086,20 +4193,24 @@ to name-virtual hosts<VirtualHost>
directive are treated just like a (non wildcard)ServerAlias
.
- Description: Hostname and port that the server uses to identify itself + Syntax: ServerName [scheme://]fully-qualified-domain-name[:port]
Syntax: ServerName [scheme://]domain-name|ip-address[:port]
Context: server config, virtual host Status: Core Module: core The
+ request scheme, hostname and port that the server uses to identify itself. + -ServerName
directive sets the - request scheme, hostname and - port that the server uses to identify itself. This is used when - creating redirection URLs.Additionally,
ServerName
is used (possibly - in conjunction withServerAlias
) to uniquely ++
ServerName
is used (possibly + in conjunction withServerAlias
) to uniquely identify a virtual host, when using name-based virtual hosts.Additionally, this is used when + creating self-referential redirection URLs when +
+UseCanonicalName
is set to a non-default + value.For example, if the name of the machine hosting the web server is
-simple.example.com
, but the machine also has the DNS aliaswww.example.com
@@ -4114,9 +4225,10 @@ itself each appearance overrides the previous appearance (within that server).If no
+ServerName
is specified, then the - server attempts to deduce the client visible hostname by performing a - reverse lookup on an IP address of the systems hostname.If no
ServerName
is specified, the + server attempts to deduce the client visible hostname by first asking + the operating system for the system hostname, and if that fails, + performing a reverse lookup on an IP address present on the system.If no port is specified in the
ServerName
, then the server will use the @@ -4331,11 +4443,12 @@ header
- Description: Forces all matching files to be processed by a handler + Syntax: SetHandler handler-name|None
Syntax: SetHandler handler-name|none|expression
Context: server config, virtual host, directory, .htaccess Override: FileInfo Status: Core + Module: core Compatibility: 2.5 and later When placed into an
.htaccess
file or a<Directory>
or @@ -4368,6 +4481,14 @@ handler </FilesMatch> +String-valued expressions can be used to reference per-request + variables, including backreferences to named regular expressions:
+ +<LocationMatch ^/app/(?<sub>[^/]+)/> + SetHandler "proxy:unix:/var/run/app_%{env:MATCH_sub}.sock|fcgi://localhost:8080" +</LocationMatch>+ +You can override an earlier defined
@@ -4458,10 +4579,14 @@ certain events before failing a requestSetHandler
directive by using the valueNone
.The
-TimeOut
directive defines the length of time Apache httpd will wait for I/O in various circumstances:-
+ @@ -4501,16 +4626,18 @@ certain events before failing a request- When reading data from the client, the length of time to +
+
- + empty. +
When reading data from the client, the length of time to wait for a TCP packet to arrive if the read buffer is - empty.
For initial data on a new connection, this directive doesn't + take effect until after any configured
++ AcceptFilter
has passed the new connection to the server.- When writing data to the client, the length of time to wait for an acknowledgement of a packet if the send buffer is @@ -4476,7 +4601,7 @@ certain events before failing a request
- In
-mod_proxy
, the default timeout value ifProxyTimeout
is not configured.Finally, for testing and diagnostic purposes only, request bodies may be allowed using the non-compliant
+ body. As a proxy server, the request body is not restricted to 64Kb.TraceEnable extended
directive. The core (as an origin server) will - restrict the request body to 64k (plus 8k for chunk headers if + restrict the request body to 64Kb (plus 8Kb for chunk headers ifTransfer-Encoding: chunked
is used). The core will reflect the full headers and all chunk headers with the response - body. As a proxy server, the request body is not restricted to 64k.Note
-Despite claims to the contrary,
+ +TRACE
is not - a security vulnerability, and there is no viable reason for - it to be disabled. Doing so necessarily makes your server - noncompliant.Despite claims to the contrary, enabling the
+TRACE
+ method does not expose any security vulnerability in Apache httpd. + TheTRACE
method is defined by the HTTP/1.1 + specification and implementations are expected to support it.